From e72165bb86aec6fc51dcb4d8d715e18be912ab67 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 30 Sep 2016 11:05:53 +0200
Subject: Fix #73203: passing additional_parameters causes mail to fail

We make sure that there's no unsigned underflow, which happened for `y==0`.
---
 NEWS                                  |  3 +++
 ext/standard/exec.c                   |  4 ++--
 ext/standard/tests/mail/bug73203.phpt | 24 ++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/mail/bug73203.phpt

diff --git a/NEWS b/NEWS
index 233accef90..fae5b65ccd 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016, PHP 5.6.28
 
+- Standard:
+  . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
+
 13 Oct 2016, PHP 5.6.27
 
 - Core:
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index 38844393e7..e0ca9140f7 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -372,7 +372,7 @@ PHPAPI char *php_escape_shell_cmd(char *str)
 	}
 	cmd[y] = '\0';
 
-	if (y - 1 > cmd_max_len) {
+	if (y > cmd_max_len + 1) {
 		php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped command exceeds the allowed length of %d bytes", cmd_max_len);
 		efree(cmd);
 		return NULL;
@@ -459,7 +459,7 @@ PHPAPI char *php_escape_shell_arg(char *str)
 #endif
 	cmd[y] = '\0';
 
-	if (y - 1 > cmd_max_len) {
+	if (y > cmd_max_len + 1) {
 		php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped argument exceeds the allowed length of %d bytes", cmd_max_len);
 		efree(cmd);
 		return NULL;
diff --git a/ext/standard/tests/mail/bug73203.phpt b/ext/standard/tests/mail/bug73203.phpt
new file mode 100644
index 0000000000..6b3bf6618c
--- /dev/null
+++ b/ext/standard/tests/mail/bug73203.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #73203 (passing additional_parameters causes mail to fail)
+--DESCRIPTION--
+We're not really interested in testing mail() here, but it is currently the
+only function besides mb_send_mail() which allows to call php_escape_shell_cmd()
+with an empty string. Therefore we don't check the resulting email, but only
+verify that the call succeeds.
+--INI--
+sendmail_path=cat >/dev/null
+mail.add_x_header = Off
+--SKIPIF--
+<?php 
+if (substr(PHP_OS, 0, 3) === 'WIN') die('skip won\'t run on Windows');
+?>
+--FILE--
+<?php
+var_dump(
+    mail('test@example.com', 'subject', 'message', 'From: lala@example.com', '')
+);
+?>
+===DONE===
+--EXPECT--
+bool(true)
+===DONE===
-- 
cgit v1.2.1